This chapter describes authentication, authorization, and accounting (AAA), with an emphasis on accounting. It starts with a general introduction to AAA, RADIUS, and Diameter, and then the various standards are discussed, along with voice-specific extensions. You will learn how to identify which AAA functions to use for which requirements and what Cisco has implemented.
With authentication, authorization, and accounting, each "A" describes a specific set of tasks to perform:
Authentication verifies that the users are who they say they are.
Authorization limits the user's activities to a set of policies, such as hours of operation, idle timeouts, filters, limiting service and connection access, and so on.
Accounting generates usage records that log the user's activities.
AAA was invented long before broadband and wireless Internet access became pervasive. It provides a mechanism for user access over dial-in connections, Telnet, SSH, and PPP. Remote access to the network occurs over a modem and a phone line to the Internet service provider (ISP). Users provide their username and password during the authentication process to a Network Access Server (NAS). It usually does not store these details locally but instead forwards the request to a database server that has the user credential information. RADIUS became the standard communication protocol between the NAS and the user database server, defined in RFC 2865 through 2869.
A typical AAA concept is based on a three-tier model, including a user, a client, and a server. With today's networks, the RADIUS RFC terminology can be slightly confusing, because the access server is called the "client," the back-end application is called the "server," and the user is not mentioned at all. A better terminology was introduced by RFC 2753, A Framework for Policy-Based Admission Control, distinguishing between a Policy Decision Point (PDP) and a Policy Enforcement Point (PEP). The PEP is the client component, equal to the RADIUS NAS, and the PDP describes the server component, similar to the RADIUS server. Because neither RADIUS nor Diameter uses the RFC 2753 terms, and to avoid the mingling of terminology, we use the RADIUS terms, even though in some scenarios they do not match perfectly, such as with controlling Telnet login into a router.
From an implementation perspective, the user connects to the network element (NAS)—in this case, a Cisco router. The NAS is responsible for passing user information to a RADIUS server, typically running on UNIX or Windows systems. The server is responsible for receiving the NAS requests and returning responses, indicating that it successfully received the initial request.
Figure 9-1 shows the different RADIUS components. The RADIUS naming convention is used, and the RFC 2753 terminology appears in brackets.
The following principles apply for AAA:
AAA is an improved logging system used for authentication, authorization, and accounting. In PPP, SLIP, and dial-in networks, AAA is not enabled primarily for accounting, but for authentication and authorization instead. In contrast, for voice scenarios, AAA is primarily used for accounting. For example, in H.323 voice signaling networks, H.325 instead of AAA is used for authentication. In a Session Initiation Protocol (SIP) voice signaling network, HTTP basic or digest is used for authentication, not AAA.
AAA collects incoming and outgoing packets/bytes.
Each session can generate start and stop records:
- "Accounting request start" with the start time
- "Accounting request stop" with the stop time and a full accounting record
AAA is adequate for billing because the username gets reported.
AAA is supported on all switching paths.
It is relevant to note that AAA is not limited to controlling user access; it can also control the operator's access to network devices or even command execution at a network element. Consequently, several types of accounting are possible with AAA; Cisco IOS Software supports five different kinds:
Network accounting collects usage records for network access (over dial-in, broadband, or wireless).
Connection accounting provides information about all outbound connections made from the NAS, such as Telnet and rlogin.
EXEC accounting gathers information about user EXEC terminal sessions (user shells) on the NAS, including username, date, start and stop times, the access server IP address, and (for dial-in users) the telephone number the call originated from.
System accounting provides information about all system-level events (for example, when the system reboots, or when accounting is turned on or off).
Command accounting supplies information about the EXEC shell commands for specified privilege levels that are being executed on a NAS. Each command accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed and the user who executed it.
The authors think that in the preceding list, the RADIUS terminology (in particular, the NAS term) is inadequate. However, in an attempt to reduce the potential for confusion, we decided to use RADIUS terms.